[Gambas-user] CRYPT function - a little help please?

Tobias Boege taboege at ...626...
Fri Aug 25 10:29:04 CEST 2017


On Thu, 24 Aug 2017, mikeB wrote:
> Greetings,
> I THINK I understand that the "Crypt" function is used to encrypt a password
> that can be checked
> by challenging user input (asking to input the password). Verifies plain
> text against encrypted data -
> It can NOT be decrypted.
> 
> 
> ?1 = where does this encrypted file (or string) exist after created? in the
> "shadow" file perhaps?
> 
> 
> ?2 = I am using the following lines of code for testing - I must not
> understand what I'm doing
> cuz does not seem to do as expected:
> 
> userid = "xcodex"
> Crypt.MD5(userid, "abcdefgh")
> cked = Crypt.Check(userid, "abcdefgh")
> Message.Info(cked)
> 
> cked ALWAYS returns "T" no matter how the code values are changed. Doc says
> "True" = not found?
> 
> 
> ?3 = could someone give me a couple lines of code to perform this function?
> learning by example ;-)
> 
> 
> ?4 = what's your opinion if this method is a secure way to store/ verify a
> user's entry password?
> 
> Thank you very much for any help - it is GREATLY APPRECIATED!
> mikeB
> 

First of all, don't reply to a message from the mailing list when you want
to start a new topic. It's not enough to just change the subject line.
Write a brand new email instead. Both your questions about encryption ended
up in the humongous thread about Gambas switching to Gitlab.

Now to your questions:

(1) Crypt does not operate with files. It takes an input password and
hashes it, returning the hash. It does just this one thing and leaves
storage to you -- because a hash function should not be concerned about
storage.

(2) In light of the answer to (1), you are ignoring the return value of
Crypt.MD5(). This return value is the password hash which you need to get
into a variable and use in a call to Crypt.Check(). Crypt.MD5() doesn't
magically associate a hashed version of "abcdefgh" with "xcodex".

(3) Here:

  Public Sub Main()
    Dim s As String

    s = Crypt.MD5("secret", "salt5678")
    Print s

    Print Crypt.Check("test", s)
    Print Crypt.Check("secret", s)
  End

  >> $1$salt5678$eRxLEhWQsIei43/wfY66J/
  >> True
  >> False

(4) You should have read the site about good password hashes I gave you
last time. It explicitly says that MD5 is NOT a good hash for passwords.
MD5 can be used for quick file integrity checks, not passwords.

Regards,
Tobi

-- 
"There's an old saying: Don't change anything... ever!" -- Mr. Monk

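Added example, not part of the original message or of the Gambas project: the store-and-verify flow from answers (1) to (4) in one module. The names `$cStore`, `Register` and `Login` are hypothetical, the Collection stands in for whatever storage you choose, and `Crypt.SHA512` is assumed to be available in your gb.crypt version (the thread itself only shows `Crypt.MD5`).

```gambas
' Added example. Requires the gb.crypt component.
' $cStore is a hypothetical in-memory stand-in for your own storage
' (file, database, settings): Crypt itself stores nothing.
Private $cStore As New Collection

' Hash the password and keep the RETURN VALUE under the user id.
' Ignoring that return value is the mistake discussed in answer (2).
Private Sub Register(sUser As String, sPassword As String)

  ' No prefix argument: Crypt picks a random salt and embeds it in the
  ' returned string, so the salt needs no separate storage.
  ' Assumption: Crypt.SHA512 exists in your gb.crypt version. It is used
  ' here because answer (4) rules out MD5 for passwords.
  $cStore[sUser] = Crypt.SHA512(sPassword)

End

' Returns True only when the user exists and the password matches.
Private Function Login(sUser As String, sPassword As String) As Boolean

  ' Unknown user: nothing to compare against, so refuse.
  If Not $cStore.Exist(sUser) Then Return False

  ' Crypt.Check returns True when the password does NOT match the hash
  ' (see the True/False output in the reply above), so invert it here.
  Return Not Crypt.Check(sPassword, $cStore[sUser])

End

Public Sub Main()

  Register("xcodex", "abcdefgh")

  Print Login("xcodex", "abcdefgh")  ' correct password
  Print Login("xcodex", "wrong")     ' wrong password
  Print Login("nobody", "abcdefgh")  ' user was never registered

End
```

Wrapping the inverted result of `Crypt.Check` in one function keeps the "True means mismatch" convention from leaking into the rest of the program.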


